The federal government’s proposed data sharing laws have stumbled at the first hurdle despite two years of development, with a senate committee raising a series of privacy concerns with the Data Availability and Transparency Bill.
The bill, which was introduced to parliament in December, aims to make it easier for the public sector to share data within government and across the private sector for the purposes of delivering government services and support research and development.
It intends to unlock data with a scheme that gives agencies an optional pathway to share data with accredited entities, overriding some 500 data secrecy and confidentiality provisions in 175 pieces of existing legislation.
Personal information and sensitive data collected by agencies, except sensitive data handled under other legislation (think My Health Record, COVIDSafe app, national security), is potentially sharable under the scheme.
Under the bill, agencies are required to seek consent before releasing personal information unless unreasonable or impractical – an improvement on an earlier version that only encouraged consent to be sought.
But in its first pass review of the legislation, the bipartisan senate standing committee for the scrutiny of bills last week said it was concerned by the “significant amount of flexibility in the meaning of ‘unreasonable or impracticable’”.
“This may undermine the effectiveness of [the clause] as a safeguard against undue trespass on the privacy of individuals whose data may be shared under the scheme,” it said in its scrutiny digest of the bill [pdf].
It also flagged concerns that there are “no requirements for sharing only de-identified data in the principles or elsewhere in the bill”, despite the intention of the data principles being to minimise the sharing of personal information.
The bill or the explanatory memorandum similarly has no definition of public interest, while at the same time requiring a public interest judgement to be made about whether a data release serves the public interest, the report said.
More generally, the committee said that the bill, "in enabling the sharing of data including personal information, has the potential to trespass on an individual's right to privacy”.
The committee also took issue with the “broad construction” of the three permitted data sharing purposes – being the “delivery of government services, to inform government policy and programs, and research and development” – for “risk interpretation”.
“The committee’s view is that significant matters, such as privacy safeguards and the permissible scope for sharing personal information, should be included in primary legislation unless a sound justification for the use of delegated legislation is provided,” it said.
“The committee’s scrutiny concerns in this regard are heightened by the breadth of the application of the bill, in particular that data may be shared with private sector entities with no requirements that the safeguards that apply to, for example, university research, apply to these entities.”
The committee has asked government services minister Stuart Robert for advice on whether the bill can be amended to provide guidance on the circumstances where gaining consent is unreasonable or impractical and to include a public interest test.
It has also asked that the scope of permitted data sharing purposes be clarified, as well as require that, where possible, data that includes personal information or sensitive information is shared in a de-identified way.
The Data Availability and Transparency Bill was referred to the Senate Finance and Public Administration Legislation Committee for further review on Thursday, with a report expected to be returned by April 29.